Cyber Resilience

CVE-2026-6757

Medium

Published: 21 April 2026

Modified: 22 April 2026
KEV added: not listed
Patch: fixed in vendor releases (see below)
CVSS v3.1 score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS score: 0.0029 (21.1st percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6757 is a medium-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Mozilla Firefox. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). Its EPSS ranking places it at the 21.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-6757 is an invalid pointer vulnerability (CWE-824) in the JavaScript: WebAssembly component of Mozilla products. It affects Firefox versions prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The issue is an access of an uninitialized pointer, which can lead to memory corruption when malicious WebAssembly content is processed.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L), indicating that an unauthenticated remote attacker can exploit it over the network with low complexity, but exploitation requires user interaction, such as visiting a malicious website or opening a crafted email in Thunderbird. Successful exploitation could result in limited impacts, including disclosure of sensitive information, minor modification of data, or partial denial of service due to application crashes or memory corruption.

Mozilla security advisories (MFSA 2026-30 through 2026-34) and the associated Bugzilla entry (bug 2013588) confirm the issue was addressed in the listed fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to mitigate the risk, as no workarounds are specified in the provided references.

Vulnerability details

Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CWE(s): CWE-824 Access of Uninitialized Pointer

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
- T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
- T1566 Phishing (Initial Access): Adversaries may send phishing messages to gain access to victim systems.

Why these techniques?

Memory corruption in browser/Thunderbird WebAssembly enables drive-by compromise (T1189) via malicious sites, client-side exploitation for execution (T1203), and phishing delivery (T1566) through crafted emails/attachments.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

- mozilla firefox: ≤ 140.10.0 · ≤ 150.0
- mozilla thunderbird: 140.0 to 140.10.0

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Directly requires timely application of the vendor patch that eliminates the uninitialized pointer flaw in WebAssembly handling.
- SI-16 Memory Protection (prevent): Enforces memory protection mechanisms that can block exploitation of the invalid pointer leading to memory corruption.
- SC-18 Mobile Code (prevent, minimal match): Provides controls over mobile code execution that can limit processing of untrusted WebAssembly content until the browser is updated.